(1) Middleware related features
Architecture
- modular architecture
- comparable to an operating system
- consistent service concept
- extensibility through creation of own services and service
providers
- hierarchical service namespace allows fine-grained security
enforcement
Adminstration/Maintenance
- command shell which is as powerful as a UNIX shell
- scripting simplifies configuration and bootstrapping
- flexible configuration and monitoring during runtime
- remote login (Telnet, Telnet over SSL/TLS)
- services/modules are individually configurable
- graphical user interfaces for service management
Web interface
- Web servlet framework (compatible to Tomcat's servlet framework)
- integrated mechanism to provide web resources (images, etc.)
temporarily for dynamic Web page presentation
- integrated HTTP and HTTPS server, the later enforcing client
authentication during SSL/TLS handshake if needed
Web service framework
- transparent, and fully automated support of Web services
- automatic server resp. client stub generation from regular Java classes
during runtime
- UDDI-based service management for service provisioning and
discovery
- use of unequivocal service identifiers based on hashcode over the
interface's method signature
- Web services based communication layer between distributed SicAri
platforms further provides interoperability with foreign service
infrastructures
(2) Security related features
Flexible creation and specification of security policies
- role-based security policies (RBAC, Role-Based Access Control)
- security policies specified in RBAC-compliant XACML
- fine granular rights management
Sandboxing of executed components, if necessary
- service environment as the only interaction interface between services
and/or applications
- various proxy modules wrap services within environment
to ensure proper isolation (security context switch, thread context
switch, etc.)
- individual thread group for each authenticated user on the local
platform
- strictly controlled access to service environment and basic kernel
features
Authentication and Authorization
- authentication based on Java's Authentication and Authorization
Service (JAAS)
- support for username/password-, softtoken- (i.e. keystore files),
smartcard-, and SSL/TLS-based user authentication
- provision of local, glocal, and remote authentication schemes within
the SicAri infrastructure
- support for mobile JavaME-based clients and other non-SicAri
systems
- signed ASN.1- or SAML-based security token as result of successful
user authentications
- SicAri security token especially allows service authorization
during accessing to remote service platform
- use of current Web services security standards to handle and transmit
security tokens between distributed platforms (e.g. as SAML-conform
security token)
Identity and key management
- integrated support for local file-based and global LDAP-based
identity management
- usage of file based and LDAP-based certificate stores
- intrinsic support of cryptographic key material for user
authentication, data encryption, and digital signature generation
Holistic policy management
- concept for security policy management comprises policy generation,
validation, administration, distribution, decision and enforcement
- SicAri platform provides local policy enforcement, policy decision,
and policy administration
- proper interfaces allow integration of policy distribution, and
remote policy administration
- current plans to integrate corresponding modules, soon
Cryptography
- own independent ASN.1 implementation
- cryptographic provider from Technical University of Darmstadt,
Germany
Support of international and de facto standards
- ITU-T X.680/ITU-T X.690 (ASN.1,DER/BER)
- ITU-T X.509v3 (certificates, PKI)
- PKCS (digital signatures, certificate requests, certificate, PKI)
- JCA/JCE (Java cryptography architecture, Java cryptography extension,
pluggable cryptographic service providers (CSPs), flexible algorithm
support, use of third party CSPs possible)
- ZIP/JAR as standard for storage of components
- SSL/TLS: remote configuration, agent transport
- LDAP: certificate management
- WS-Enc, WS-DSig, SAML, XACML: and other WS-Security standards